[ https://issues.apache.org/jira/browse/SM-5083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved SM-5083.
--------------------------------------
      Assignee: Jean-Baptiste Onofré
    Resolution: Duplicate

> Spring4shell vulnerability mitigation in [org.apache.servicemix.bundles.spring-beans] [5.3.5_1]
> -----------------------------------------------------------------------------------------------
>
>                 Key: SM-5083
>                 URL: https://issues.apache.org/jira/browse/SM-5083
>             Project: ServiceMix
>          Issue Type: Bug
>          Components: servicemix-bean
>    Affects Versions: 5.6.3
>            Reporter: Shubhangi Raut
>            Assignee: Jean-Baptiste Onofré
>            Priority: Critical
>
> *Severity :* Sonatype CVSS 3: 9.8 / CVE CVSS 2.0: 0.0
> *Weakness :* Sonatype CWE: 470
> *Source :* Sonatype Data Research
> *Explanation :* The spring-beans package is vulnerable to Remote Code 
> Execution [RCE]. The constructor method in the CachedIntrospectionResults 
> class allows the loading of arbitrary classes. A remote attacker can exploit 
> this vulnerability to upload a malicious class and ultimately result in RCE.
> This issue is due to an insufficient fix for CVE-2010-1622.
> We are still investigating other avenues of attack but out of an abundance 
> of caution, and media attention, are releasing this advisory now.
> *Detection :* The application is vulnerable by using this component, if using 
> Java version 9 or above.
> *Mitigation :* Upgrade spring version to latest available.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)